Skip to content

fix(authentication-oauth): prevent open redirect via domain suffix attack #3669

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
daffl merged 1 commit into from
Mar 19, 2026
+100 −3
Merged

fix(authentication-oauth): prevent open redirect via domain suffix attack #3669

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 7 additions & 3 deletions packages/authentication-oauth/src/strategy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,9 +106,13 @@ export class OAuthStrategy extends AuthenticationBaseStrategy {
}

// Validate redirect parameter to prevent open redirect via URL authority injection
// Reject characters that could change the URL's authority: @, //, \
// e.g., @attacker.com would make https://target.com@attacker.com redirect to attacker.com
if (queryRedirect && /[@\\]|^\/\/|\/\//.test(queryRedirect)) {
// Only allow relative paths starting with / to prevent:
// - @attacker.com -> https://target.com@attacker.com (authority injection)
// - .attacker.com -> https://target.com.attacker.com (domain suffix attack)
// - -attacker.com -> https://target.com-attacker.com (domain suffix attack)
// - //attacker.com -> protocol-relative redirect
// - \attacker.com -> backslash redirect
if (queryRedirect && (!/^\//.test(queryRedirect) || /[@\\]|\/\//.test(queryRedirect))) {
throw new NotAuthenticated('Invalid redirect path.')
}

Expand Down
93 changes: 93 additions & 0 deletions packages/authentication-oauth/test/strategy.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,99 @@ describe('@feathersjs/authentication-oauth/strategy security', () => {
})
})

describe('open redirect via domain suffix attack', () => {
beforeEach(() => {
app.get('authentication').oauth.origins = ['https://target.com']
})

afterEach(() => {
delete app.get('authentication').oauth.origins
})

it('should reject redirect starting with dot (domain suffix attack)', async () => {
// Attack: ?redirect=.attacker.com -> https://target.com.attacker.com
await assert.rejects(
() =>
strategy.getRedirect(
{ accessToken: 'testing' },
{
redirect: '.attacker.com',
headers: {
referer: 'https://target.com/login'
}
}
),
{
name: 'NotAuthenticated'
}
)
})

it('should reject redirect starting with hyphen (domain suffix attack)', async () => {
// Attack: ?redirect=-attacker.com -> https://target.com-attacker.com
await assert.rejects(
() =>
strategy.getRedirect(
{ accessToken: 'testing' },
{
redirect: '-attacker.com',
headers: {
referer: 'https://target.com/login'
}
}
),
{
name: 'NotAuthenticated'
}
)
})

it('should reject redirect with bare domain', async () => {
// Attack: ?redirect=attacker.com -> https://target.comattacker.com
await assert.rejects(
() =>
strategy.getRedirect(
{ accessToken: 'testing' },
{
redirect: 'attacker.com',
headers: {
referer: 'https://target.com/login'
}
}
),
{
name: 'NotAuthenticated'
}
)
})

it('should allow valid relative path redirect', async () => {
const redirect = await strategy.getRedirect(
{ accessToken: 'testing' },
{
redirect: '/dashboard',
headers: {
referer: 'https://target.com/login'
}
}
)
assert.equal(redirect, 'https://target.com/dashboard#access_token=testing')
})

it('should allow relative path with query string', async () => {
const redirect = await strategy.getRedirect(
{ accessToken: 'testing' },
{
redirect: '/callback?state=abc',
headers: {
referer: 'https://target.com/login'
}
}
)
assert.ok(redirect!.startsWith('https://target.com/callback?state=abc'))
})
})

describe('origin validation bypass via startsWith', () => {
beforeEach(() => {
app.get('authentication').oauth.origins = ['https://target.com']
Expand Down
Loading